Very High
CVE-2020-8899 Samsung Quarm RCE via MMS
CVE-2020-8899 Samsung Quarm RCE via MMS
Description
There is a buffer overwrite vulnerability in the Quram qmg library of Samsung’s Android OS versions O(8.x), P(9.0) and Q(10.0). An unauthenticated, unauthorized attacker sending a specially crafted MMS to a vulnerable phone can trigger a heap-based buffer overflow in the Quram image codec leading to an arbitrary remote code execution (RCE) without any user interaction. The Samsung ID is SVE-2020-16747.
Add Assessment
Technical Analysis
This CVE collectively describes 5218 unique crashes that were reported to Samsung by a Google Project Zero researcher. The crashes occur within the Skia library and are related to the processing of Qmage images. The Qmage image format was developed by a third-party company but was added to the Skia Android library on Samsung phones. These bugs can be triggered remotely and without interaction by sending MMS messages to the target device.
The vulnerability does not affect all Android devices, only those with the modified Skia library distributed by Samsung on their phones. It’s likely that other exploit delivery scenarios are viable but may require user interaction to trigger rendering the image.
Successful exploitation requires bypassing ASLR which reportedly can be achieved remotely by sending multiple messages to the target. Further details on this aspect of the exploit are not currently public and contribute to the complexity of weaponizing a PoC for this vulnerability. Successfully exploiting the vulnerability yields code execution within the context of the exploited process. In the case of the messenger application, this could be used to leak text messages.
Technical Analysis
Here’s a few of links:
https://twitter.com/j00ru/status/1258066559765004295
https://bugs.chromium.org/p/project-zero/issues/detail?id=2002
https://security.samsungmobile.com/securityUpdate.smsb
Samsung devices are among the most popular Android platforms out there. They last a long, long time, and often quietly go EOL / end of support, and keep on trucking for years. So, for many millions of targets, this is effectively forever-day.
One downside for attackers is that it does seem to require a fair bit of time to exploit — the video demo shows exploitation taking about an hour and a half or so, and it leaves a few hundred unread MMS messages in the queue. This time cost and the attendant lack of stealth means that attacks need to happen specifically when the user isn’t active on the phone — kind of the opposite of “requires user interaction,” but close enough for the ding on scoring, above.
Maybe a middle-of-the-night attack, with a follow-up cleanup, would be enough to avoid detection, but you might need to chain another exploit for a privilege escalation to get you write/delete access to the message queue — the attacker assumes the privileges of Samsung Messages, which is pretty good, but it’s not root,
CVSS V3 Severity and Metrics
General Information
Vendors
- Samsung
Products
- Android OS
References
One mitigation strategy here is to either turn off your phone, or switch to Airplane Mode (without WiFi), if you know you’re not going to be paying attention to it for a while. At least, until your carrier releases the Samsung patch to you.
On the bright(?) side: this is a bug that is nearly perfect for law enforcement that has a phone in custody and no other way to access stored photos and messages given a warrant to do so.